5 Answers

While browsing, you can check every time whether the certificate that is presented to you by the website is issued by a legitimate CA or it's a fake certificate issued by some CA that your browser trusts. Obviously it is not possible to do it manually. So, there are tools that do it for you.

Cert Patrol and Perspectives are browser plugins that do essentially that. They keep a note of which domain names are issued by which CAs (e.g. Google=>Thawte, etc.) and many other parameters related to the certificates, and will alarm the user if either the CA changes OR the public key in the cert changes.

These are obviously not detection of MITM; they are more like prevention schemes, detecting that something is odd about the certificate presented by the website.

Also, while connecting to an SSH server, it asks for the server fingerprint. I'd be alarmed if my ssh client presents me a new fingerprint after I've previously connected to a server. The server host key gets saved to the known_hosts file after the first connection; the only reason the client is asking me to validate the fingerprint again is because either the SSH server has restarted/updated OR I am being MITMed.

Absolute paranoia demands that you call the system admin on the phone and confirm the fingerprint by making him speak the key. Remember, you should not speak the key lest he'd say 'YES' only for you to discover later that your phone connection was also MITMed :) (funny as it may sound, but it's not difficult for an attacker to simply change the 'support phone number' on the website where you'd call to verify the key.)

Why does it make any difference who's reading the fingerprint if I might be calling the 'man in the middle'? Surely he's capable of telling me his own bad host's fingerprint.
–
Daniel Beck, Apr 26 '13 at 17:50

Can you detect a MitM attack? Depends on the type of system being attacked and the type of attack.

Say some sophisticated attacker has gotten control of a router upstream between you and the internet in general and redirects your traffic to fake servers under their control for a MitM (e.g., captures DNS requests and gives phony replies to their servers, or uses Network Address Translation (NAT)).

Now let's say you go to http://www.facebook.com and get directed to an http login page under the attacker's control. Foreseeably the attacker could throw up a page that mimics Facebook's login page, captures your authentication information, uses that information to connect to the real Facebook, and then directs the content from the real Facebook to your browser. This could be done near seamlessly, with the exception of the hidden form post action not being https on the initial login page. Let's say instead your settings are to always use https for Facebook, and you went to https://www.facebook.com. The MitM attack would send red flags to the browser, as the attacker will not have a trusted certificate for facebook.com. Granted, many users would ignore these browser warnings (as sometimes they occur for benign reasons like an expired key or an intranet site not using a self-signed key). This all assumed that the attacker has not additionally managed to hack into Facebook and get their private certificates OR compromise a CA (certificate authority) to be able to generate phony certificates trusted by most web browsers OR previously alter your web browser so it trusts/doesn't warn about invalid certificates.

In general, with http it is near impossible to detect MitM attacks, but with https your browser should automatically detect and warn you about it, unless the attacker has already compromised your system or the system at the other end (including the CA as a system at the other end).

Next example: ssh. Again, it uses private-public server keypairs to authenticate computers. So if I frequently ssh into my work machine from my home computer, my home computer has recorded and trusted the public key of my work machine (which is kept in a file ~/.ssh/known_hosts). If a MitM attack was attempted when I am connecting from my home machine, ssh would immediately notice that the MitM machine did not have the private key of my work machine and would not let me log in (unless I specifically removed the public key from my known_hosts list, which I would only do if, say, I upgraded to a new machine or changed the server key). Again, MitM attacks over ssh are very easy to detect unless the attacker either already broke into my work machine as root and copied the private key to his host OR already broke into my home machine and changed the public key for my work machine recorded in ~/.ssh/known_hosts OR it's my first time connecting to the server (and I do not have the server in my known_hosts or recognize its host fingerprint).
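As an added example (not code from either answer above), this is the known_hosts comparison that both the first and the second answer describe, reduced to its logic: parse plain known_hosts lines, compute the OpenSSH-style SHA256 fingerprint of a key, and classify a presented key as a match, a change (the alarm case), or a first contact. The hostnames and the ed25519 key blobs are constructed test data, not real keys.

```python
import base64
import hashlib

def ssh_string(data: bytes) -> bytes:
    """Encode one field in SSH wire format: 4-byte big-endian length, then payload."""
    return len(data).to_bytes(4, "big") + data

def make_ed25519_blob(raw32: bytes) -> str:
    """Base64 body of an ssh-ed25519 public key (constructed test data, not a real key)."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> key body for plain (unhashed) known_hosts lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 3:
            continue
        hosts, keytype, key = fields[0], fields[1], fields[2]
        for host in hosts.split(","):  # one line may list several aliases of a host
            entries[(host, keytype)] = key
    return entries

def check_host_key(known: dict, host: str, keytype: str, presented_b64: str) -> str:
    """Classify a presented key the way ssh's own host-key check does."""
    stored = known.get((host, keytype))
    if stored is None:
        return "unknown"   # first contact: confirm the fingerprint out of band
    if stored == presented_b64:
        return "match"     # same key as before: nothing odd
    return "changed"       # key differs from the saved one: possible MITM, stop

# Constructed known_hosts content; hostnames and key are made up.
KNOWN_HOSTS = "work.example.com,10.0.0.5 ssh-ed25519 " + make_ed25519_blob(bytes(range(32)))

if __name__ == "__main__":
    known = parse_known_hosts(KNOWN_HOSTS)
    genuine = make_ed25519_blob(bytes(range(32)))
    imposter = make_ed25519_blob(bytes([7] * 32))  # a different, constructed key
    for key in (genuine, imposter):
        print(fingerprint(key), check_host_key(known, "work.example.com", "ssh-ed25519", key))
```

Real known_hosts files may store hostnames hashed (`|1|...` entries) and keys in other formats; this parser only handles the plain form shown.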

Many answers here will tell you how to check for specific MITM attacks, which I believe is not the point.

A MITM doesn't mean the attacker will try to decipher your data stream and present you with a different key/fingerprint. He is just a node between you and your destination host.

There are many ways to get into a MITM situation; each can be prevented by proper network administration, and all the nodes between you and your destination host should be secured. Each network should be designed to resist every MITM possible, including abusing routing protocols, ARP spoofing, DNS spoofing, simply installing a physical bridge, etc.

In order to achieve security, being caught in a MITM attack should not matter; you cannot rely on trust and luck, and you cannot control the internet. You have to assume you are in a hostile environment unless proven secure by a proper audit.
Using secure protocols like TLS, SSH and potentially IPSec can make your network more secure, and authenticate and encrypt your data. However, it's always vulnerable at some point, and most of the time it comes from either a misconfiguration or a flaw in the protocol/implementation itself.

In short, don't detect MITM, but instead:

Secure your LAN or ask someone to do it

Set up secure tunneling protocols to access secure distant networks and systems

Detecting MITM is possible, but it's related to what you use: port security for Cisco IOS, or just using Snort on any Unix box. You can't possibly get an exhaustive list; it just matches a given situation, and besides, attackers are always creative enough to find something you didn't think about, so refer to my two pieces of advice above.

You can check your ARP table. Or you can look at the good website MITM TUTORIALs, which explains in depth what a man in the middle is and how to avoid them. I guess reading its tutorial will give you an excellent idea about what is happening and how to prevent it, as well as how to detect them.

I've looked over all 6 of his pages on MITM attacks, and it basically seems like a tutorial on how to do them. I could find no information on how to detect when it's happening. So far the only thing I've found is nakkaya.com/mocha.html and I'm not sure if that's a good solution or not.
–
TigerCoding, Feb 23 '12 at 14:36

I just checked, and you're right... he moved the other part. I'll try to find it somewhere else!
–
noktec, Feb 24 '12 at 10:59
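The "check your ARP table" advice in the answer above, worked through as an added example (not the answerer's code): parse constructed `arp -a` output, report any MAC address that answers for more than one IP, and compare the gateway's entry against a MAC pinned earlier on a known-clean network. The hostnames, addresses and the pinned MAC are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output in Linux format; hosts and addresses are made up.
# The laptop entry carries the gateway's MAC, the pattern an ARP-spoofing MITM leaves.
ARP_OUTPUT = """\
gateway (192.168.1.1) at aa:bb:cc:00:00:01 [ether] on eth0
printer.lan (192.168.1.20) at aa:bb:cc:00:00:20 [ether] on eth0
laptop.lan (192.168.1.42) at aa:bb:cc:00:00:01 [ether] on eth0
nas.lan (192.168.1.50) at aa:bb:cc:00:00:50 [ether] on eth0
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def parse_arp(text: str) -> dict:
    """Map IP -> lowercase MAC for every entry matching the `arp -a` line format."""
    return {m.group("ip"): m.group("mac").lower() for m in ARP_LINE.finditer(text)}

def find_shared_macs(table: dict) -> dict:
    """Return MACs that answer for more than one IP, a common sign of ARP spoofing."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def check_gateway(table: dict, gateway_ip: str, pinned_mac: str) -> str:
    """Compare the gateway's current ARP entry with a MAC recorded on a clean network."""
    current = table.get(gateway_ip)
    if current is None:
        return "missing"
    return "ok" if current == pinned_mac.lower() else "changed"

if __name__ == "__main__":
    table = parse_arp(ARP_OUTPUT)
    for mac, ips in find_shared_macs(table).items():
        print(f"WARNING: {mac} claims {len(ips)} addresses: {', '.join(ips)}")
    print("gateway:", check_gateway(table, "192.168.1.1", "aa:bb:cc:00:00:01"))
```

A shared MAC is not proof by itself (a router or a host with several addresses on one interface shares a MAC legitimately), so treat a hit as something to investigate, and note that a snapshot of the table misses short-lived entries that a sniffer-based tool would catch.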